Zero-day Vulnerability Database
Zero-day vulnerabilities discovered: 11
Multiple vulnerabilities in Microsoft Graphics Component
CVE-2016-7256
Memory Corruption
A remote attacker can execute arbitrary code on the target system.
The vulnerability exists due to incorrect handling of objects in memory in Windows font library when processing Open Type fonts. A remote attacker can create a specially crafted font file and cause memory corruption.
Successful exploitation of the vulnerability may allow an attacker to execute arbitrary code on vulnerable system with privileges of the current user.
Note: this vulnerability is being actively exploited in the wild.
The vulnerability started to appear on the radar in June 2016 as it was used in "low-volume attacks primarily focused on targets in South Korea". A successful attack exploited a flaw in the Windows font library to elevate privileges, and to install a backdoor on target systems called Hankray.
Software: Windows
Known/fameous malware:
Trojan Horse Exp.CVE-2016-7256.
Links:
https://technet.microsoft.com/library/security/ms16-132
https://www.symantec.com/security_response/writeup.jsp?docid=2017-011706-2200-99
http://www.securityweek.com/microsoft-patches-windows-zero-day-exploited-russian-hackers
http://www.netsec.news/patch-tuesday-sees-68-microsoft-vulnerabilities-fixed/
https://www.ghacks.net/2017/01/18/microsoft-windows-10-hardening-against-0-day-exploits/
http://www.removesoft-tips.com/exp-cve-2016-7256-removal-guide-how-do-i-remove-exp-cve-2016-7256-com...
https://hotforsecurity.bitdefender.com/blog/if-youre-going-to-use-windows-it-makes-security-sense-to...
http://www.digitaltrends.com/computing/anniversary-update-shielded-against-two-exploits/
http://www.thewindowsclub.com/windows-10-mitigate-zero-day-exploits
http://windowsreport.com/microsoft-windows-10-zero-day-exploit/
Privilege escalation in Windows 10
CVE-2016-7255
Privilege escalation
The vulnerability allows a local user to gain elevated privileges on the target system.
The weakness is due to improper handling of objects in memory by win32k.sys. By sending a specially crafted system call NtSetWindowLongPtr(), a local attacker can set index GWLP_ID to WS_CHILD value on a window handle with GWL_STYLE and execute arbitrary code with system privileges.
Successful explotation of the vulnerability results in privilege escalation.
Note: this vulnerability is being actively exploited in the wild.
The zero-day was being actively exploited by Russian hackers (APT28, Fancy Bear, Pawn Storm, Sednit, Tsar Team, and Sofacy).
Software: Windows
Links:
https://www.symantec.com/security_response/writeup.jsp?docid=2016-110821-3527-99
https://technet.microsoft.com/library/security/ms16-135
https://security.googleblog.com/2016/10/disclosing-vulnerabilities-to-protect.html
http://www.netsec.news/patch-tuesday-sees-68-microsoft-vulnerabilities-fixed/
https://securingtomorrow.mcafee.com/mcafee-labs/digging-windows-kernel-privilege-escalation-vulnerab...
http://securityaffairs.co/wordpress/53242/hacking/cve-2016-7255-zero-day.html
http://blog.trendmicro.com/trendlabs-security-intelligence/one-bit-rule-system-analyzing-cve-2016-72...
https://cyware.com/news/one-bit-to-rule-a-system-analyzing-cve-2016-7255-exploit-in-the-wild-84cb5e1...
http://www.darkreading.com/endpoint/microsoft-november-security-updates-include-fix-for-zero-day-fla...
https://www.grahamcluley.com/pawn-storm-microsoft-zero-day/
https://nakedsecurity.sophos.com/2016/11/09/november-patch-tuesday-fixes-controversial-windows-0-day...
http://sensorstechforum.com/cve-2016-7255-67-vulnerabilities-addressed-microsoft/
Multiple vulnerabilities in Microsoft Internet Explorer
CVE-2016-3298
Information disclosure
The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.The vulnerablity exists due to improper handling of objects in memory by the Internet Messaging API. A remote attacker can create a specially crafted content, trick the victim into opening it, bypass security restrictions and determine the existence of arbitrary files.
Successful exploitation of the vulnerability results in information disclosure on the vulnerable system.
Note: the vulnerability was being actively exploited.
Proofpoint researchers Will Metcalf and Kafeine first detected and reported CVE-2016-3298 in April 2016 as part of a тАЬGooNkyтАЭ infection chain along with CVE-2016-3351, but the information disclosure vulnerability was most likely already in use by the AdGholas group.
CVE-2016-3298 and CVE-2016-3351 were reported to Microsoft between October and December of 2015.
Software: Microsoft Internet Explorer
Known/fameous malware:
Exploit Kit: Neutrino
CVE-2016-3298 and CVE-2016-3351 were reported to Microsoft between October and December of 2015.
Links:
https://www.proofpoint.com/uk/threat-insight/post/microsoft-patches-CVE-2016-3298-second-information...
https://technet.microsoft.com/en-us/library/security/ms16-118.aspx
https://blog.trendmicro.com/trendlabs-security-intelligence/cve-2016-3298-microsoft-fixes-another-ie...
http://securityaffairs.co/wordpress/52186/hacking/microsoft-zero-da.html
https://www.brokenbrowser.com/detecting-local-files-to-evade-analysts/
https://threatpost.com/microsoft-patches-five-zero-days-under-attack/121211/
https://www.scmagazine.com/patch-tuesday-microsoft-patches-five-zero-day-vulnerabilities/article/548...
http://thehackernews.com/2016/10/Microsoft-security-patch-updates.html
https://blog.malwarebytes.com/cybercrime/exploits/2016/08/browser-based-fingerprinting-implications-...
http://www.securityweek.com/attackers-use-internet-explorer-zero-day-avoid-researchers
http://news.softpedia.com/news/microsoft-patches-four-zero-days-used-in-live-attacks-509222.shtml
http://wccftech.com/zero-day-exploited-update-windows-right-away/
https://www.beencrypted.com/attackers-uses-ie-edge-zero-day-avoid-researchers/
Multiple vulnerabilities in Microsoft Windows
CVE-2016-3393
Arbitrary code execution
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to boundary error in the Graphics Device Interface (GDI) component. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The vulnerability has been used by an APT group Kaspersky Lab call FruityArmor. Victims have been identified in Thailand, Iran, Algeria, Yemen, Saudi Arabia and Sweden.
Software: Windows
Multiple vulnerabilities in Microsoft Edge
CVE-2016-7189
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to boundary error in the Scripting Engine when handling malicious files. A remote attacker can create a specially crafted content, trick the victim into downloading it, trigger memory corruption and execute arbitrary code.
Successful exploitation of the vulnerability will result in arbitrary code execution.
Note: the vulnerability was being actively exploited.
Software: Microsoft Edge
Links:
https://technet.microsoft.com/library/security/ms16-119
https://threatpost.com/microsoft-patches-five-zero-days-under-attack/121211/
http://thehackernews.com/2016/10/Microsoft-security-patch-updates.html
http://www.securitynewspaper.com/2016/10/12/microsoft-patches-four-zero-days-used-live-attacks/
http://www.securityweek.com/microsoft-patches-4-vulnerabilities-exploited-wild
https://www.tripwire.com/state-of-security/vulnerability-management/vert-threat-alert-october-2016-p...
http://www.slideshare.net/LANDESK/october2016-patchtuesdayshavlik
http://www.zdnet.com/article/microsoft-hackers-have-exploited-zero-days-in-windows-10s-edge-office-i...
https://www.helpnetsecurity.com/2016/10/12/october-patch-tuesday/
http://www.dailystar.co.uk/tech/news/553358/Microsoft-Windows-10-critical-flaws-security-update-fix-...
Remote code execution in Microsoft Office
CVE-2016-7193
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to boundary error when handling of malicious RTF files by Microsoft Word. A remote attacker can create a specially crafted RTF document, trick the victim into opening it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability will result in arbitrary code execution.
Note: the vulnerability was being actively exploited.
Software: Microsoft Word
Links:
https://technet.microsoft.com/en-us/library/security/ms16-121.aspx
http://thehackernews.com/2016/10/Microsoft-security-patch-updates.html
https://threatpost.com/microsoft-patches-five-zero-days-under-attack/121211/
https://www.symantec.com/security_response/vulnerability.jsp?bid=93372
http://thehackernews.com/2016/10/Microsoft-security-patch-updates.html
http://www.securitynewspaper.com/2016/10/12/microsoft-patches-four-zero-days-used-live-attacks/
http://www.networkworld.com/article/3130109/security/microsoft-released-10-patches-6-rated-critical-...
https://www.scmagazine.com/patch-tuesday-microsoft-patches-five-zero-day-vulnerabilities/article/548...
http://www.zdnet.com/article/microsoft-hackers-have-exploited-zero-days-in-windows-10s-edge-office-i...
http://securityaffairs.co/wordpress/52186/hacking/microsoft-zero-da.html
https://www.helpnetsecurity.com/2016/10/12/october-patch-tuesday/
https://www.scmagazineuk.com/microsoft-bundles-security-updates--no-more-pick-and-choose/article/547...
Multiple vulnerabilities in Microsoft Internet Explorer and Edge
CVE-2016-3351
Memory corruption
The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.
The weakness exists due to boundary error when handling of malicious files. A remote attacker can create a specially crafted content, trick the victim into opening it, trigger memory corruption and gain access to arbitrary data.
Note: the vulnerability was being actively exploited.
Microsoft has known about CVE-2016-3351 since 2015.
Exploited By AdGholas and GooNky Malvertising Groups.
Software: Microsoft Internet Explorer
Exploited By AdGholas and GooNky Malvertising Groups.
Links:
https://www.proofpoint.com/us/threat-insight/post/Microsoft-Patches-Zero-Day-Exploited-By-AdGholas-G...
https://technet.microsoft.com/library/security/ms16-104
https://technet.microsoft.com/library/security/MS16-105
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=29628
http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2016-3298-microsoft-fixes-another-ie-...
http://securityaffairs.co/wordpress/51494/hacking/internet-explorer-exploits.html
http://wccftech.com/zero-day-exploited-update-windows-right-away/
https://www.brokenbrowser.com/detecting-local-files-to-evade-analysts/
http://www.securityweek.com/microsoft-patches-browser-vulnerability-exploited-attacks
https://www.scmagazineuk.com/microsoft-bundles-security-updates--no-more-pick-and-choose/article/547...
http://www.securingcomputer.com/news/microsoft-patches-browser-vulnerability-exploited-attacks
http://www.zdnet.com/article/microsoft-patches-critical-ie-bug-that-was-under-attack-for-nearly-thre...
http://techgenix.com/microsoft-patches-ie-malvertising-vulnerability/
Multiple vulnerabilities in Microsoft Internet Explorer
CVE-2016-0189
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to boundary error in the Scripting Engine when handling malicious files. A remote attacker can create a specially crafted content, trick the victim into opening it, trigger memory corruption and execute arbitrary code.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
Used to target South Korean organizations.
A banking (Duuzer back door) trojan distributed by Sundown Exploit Kit (EK) to target South Korean organizations. Later it was included into Magnitude and KaiXin EKs.
Software: Microsoft Internet Explorer
Known/fameous malware:
Exploit kit: Magnitude, Neutrino, RIG, Sundown.
A banking (Duuzer back door) trojan distributed by Sundown Exploit Kit (EK) to target South Korean organizations. Later it was included into Magnitude and KaiXin EKs.
Links:
http://theori.io/research/cve-2016-0189
https://github.com/theori-io/cve-2016-0189
https://technet.microsoft.com/library/security/MS16-053
https://technet.microsoft.com/library/security/ms16-051
https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0189
http://malware.dontneedcoffee.com/2016/07/cve-2016-0189-internet-explorer-and.html
https://www.symantec.com/security_response/writeup.jsp?docid=2016-061306-3604-99
https://www.symantec.com/connect/blogs/internet-explorer-zero-day-exploit-used-targeted-attacks-sout...
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=70147
http://malware.dontneedcoffee.com/2016/07/cve-2016-0189-internet-explorer-and.html
http://blog.trendmicro.com/trendlabs-security-intelligence/may-2016-patch-tuesday-fixes-browser-scri...
https://www.fireeye.com/blog/threat-research/2016/07/exploit_kits_quickly.html
https://www.virusbulletin.com/blog/2017/01/paper-journey-and-evolution-god-mode-2016-cve-2016-0189/
http://www.securityweek.com/microsoft-patches-flaws-exploited-targeted-attacks
http://sensorstechforum.com/may-2016-patch-tuesday-cve-2016-0189-kb3155533-kb3156764/
http://securityaffairs.co/wordpress/54093/intelligence/cnacom-campaign.html
https://www.zscaler.com/blogs/research/cnacom-open-source-exploitation-strategic-web-compromise
http://forensicblogs.com/tag/cve-2016-0189/
https://threatpost.com/patched-ie-zero-day-incorporated-into-neutrino-ek/119321/
http://securityaffairs.co/wordpress/49383/cyber-crime/neutrino-ek-ie-flaw.html
http://www.securityweek.com/ie-exploit-added-neutrino-after-experts-publish-poc
http://www.cybersecurity-review.com/internet-explorer-zero-day-exploit-used-in-targeted-attacks-in-s...
http://www.zdnet.com/article/south-korea-victim-of-internet-explorer-zero-day-vulnerability/
http://thecharlestendellshow.com/experts-published-ie-exploit-code-and-crooks-added-it-to-neutrino-e...
https://cybernewsgroup.co.uk/ie-exploit-added-to-neutrino-after-experts-publish-poc/
http://www.networkworld.com/article/3068505/microsoft-fixes-actively-attacked-ie-flaw-and-50-other-v...
https://www.scmagazine.com/patch-tuesday-microsoft-rolls-out-16-bulletins-eight-rated-critical/artic...
http://news.redpiranha.net/Landing-Page-Containing-CVE-2016-0189-Exploit-Code-Used-to-Target-Taiwane...
http://www.darkreading.com/attacks-breaches/windows-0-day-exploit-used-in-recent-wave-of-pos-attacks...
https://securityintelligence.com/news/proof-of-compromise-new-neutrino-exploit-runs-on-research/
https://www.grahamcluley.com/neutrino-exploit-kit-adds-zero-day-flaw-arsenal/
Multiple vulnerabilities in Microsoft Windows
CVE-2016-0167
Privilege escalation
The vulnerability allows a local attacker to gain elevated privileges on the target system.
The vulnerability exists due to improper handling of objects in memory by the kernel-mode driver. A local attacker can run a specially crafted program, gain elevated privileges and execute arbitrary code with SYSTEM privileges.
Successful exploitation of this vulnerability may result in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
Used to compromise organizations in the USA and Canada. First attacks were detected in 08.03.2016.
Software: Windows
Known/fameous malware:
PUNCHBABY or PUNCHTRACK Trojan.
Links:
https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Exploit:Win64/CVE-2016...
https://www.fireeye.com/blog/threat-research/2016/05/windows-zero-day-payment-cards.html
https://technet.microsoft.com/library/security/ms16-039 http://www.securitytracker.com/id/1035532
http://blog.trendmicro.com/tippingpoint-threat-intelligence-zero-day-coverage-week-april-11-2016/
http://blog.cybersheath.com/adobe-and-windows-zero-day-exploits-in-the-wild
https://threatpost.com/microsoft-zero-day-exposes-100-companies-to-pos-attack/118026/
https://arstechnica.com/security/2016/05/beware-of-in-the-wild-0day-attacks-exploiting-windows-and-f...
http://sensorstechforum.com/windows-zero-day-exploited-to-steal-credit-card-data-from-us-companies/
http://www.securityweek.com/windows-zero-day-leveraged-financial-attacks
http://www.zdnet.com/article/microsoft-windows-zero-day-exposes-companies-to-crippling-cyberattacks/
Multiple vulnerabilities in Microsoft Windows
CVE-2016-0165
Privilege escalation
The vulnerability allows a local attacker to gain elevated privileges on the target system.
The vulnerability exists due to improper handling of objects in memory by the kernel-mode driver. A local attacker can run a specially crafted program, gain elevated privileges and execute arbitrary code with SYSTEM privileges.
Successful exploitation of this vulnerability may result in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The Badlock vulnerability.
Software: Windows
Links:
https://technet.microsoft.com/en-us/library/security/ms16-039.aspx
https://threatpost.com/fruityarmor-apt-group-used-recently-patched-windows-zero-day/121398/
http://www.networkworld.com/article/3054645/security/microsoft-rated-6-of-13-security-updates-as-cri...
https://securelist.com/blog/research/76396/windows-zero-day-exploit-used-in-targeted-attacks-by-frui...
http://www.infoworld.com/article/3055572/security/dont-let-badlock-distract-you-from-real-vulnerabil...
http://news.softpedia.com/news/microsoft-releases-critical-windows-edge-browser-office-security-upda...
https://www.infosecurity-magazine.com/news/patch-tuesday-badlock-bulletin/
Remote code execution in Microsoft Silverlight
CVE-2016-0034
Improper input validation
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to an error when parsing strings with a malicious decoder that can return negative offsets. A remote attacker can create a specially crafted content, trick the victim into opening it, replace unsafe object headers with contents provided by an attacker and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
On July 5, 2015, a large amount of data from one company was leaked to the Internet with a hacker known as тАЬPhineas FisherтАЭ claiming responsibility for the breach.
Software: Microsoft Silverlight
Known/fameous malware:
Used in Angler, Hunter, RIG and Sundown Exploit Kit.
Links:
https://technet.microsoft.com/en-us/library/security/MS16-006
https://securelist.com/blog/research/73255/the-mysterious-case-of-cve-2016-0034-the-hunt-for-a-micro...
https://www.symantec.com/security_response/writeup.jsp?docid=2016-011507-1032-99
http://blog.trendmicro.com/trendlabs-security-intelligence/malvertising-campaign-in-us-leads-to-angl...
http://www.broadanalysis.com/2016/03/21/silverlight-exploit-leads-to-teslacrypt-cve-2016-0034/
http://sensorstechforum.com/attack-involves-silverlight-exploit-cve-2016-0034-angler-ek-and-teslacry...
http://www.securityweek.com/hacking-team-leak-leads-discovery-silverlight-zero-day
http://www.securityweek.com/exploit-recently-patched-silverlight-flaw-added-angler
https://www.trustwave.com/Resources/SpiderLabs-Blog/Sundown-EK-%E2%80%93-Stealing-Its-Way-to-the-Top...
http://securityaffairs.co/wordpress/44774/cyber-crime/angler-ek-silverlight-exploit.html
https://blog.qualys.com/securitylabs/2016/01/14/hunting-for-vulnerable-functions-in-microsoft-silver...
http://www.zdnet.com/article/microsoft-silverlight-exploit-spotted-in-angler-kit/
http://www.zdnet.com/article/kaspersky-lab-discovers-silverlight-zero-day-vulnerability/
http://news.softpedia.com/news/hackers-wasted-their-time-adding-a-silverlight-exploit-to-the-angler-...
https://www.scmagazine.com/as-kaspersky-labs-researchers-predicted-exploits-of-silverlight-vulnerabi...
http://blog.morphisec.com/javascript-in-ie-overtakes-flash-as-number-one-target-for-angler-exploit-k...
https://threatpost.com/new-silverlight-attacks-appear-in-angler-exploit-kit/116409/
https://arstechnica.com/security/2016/02/malicious-websites-exploit-silverlight-bug-that-can-pwn-mac...
http://www.darkreading.com/vulnerabilities---threats/kaspersky-caught-scent-of-silverlight-zero-day-...